
Re: What can someone do after discovering an "exploit"?

OK.. done some further study... And this algorithm definitely works with the Thomson TG585 v7 router. I have calculated the WPA PSK manually as well as with this Python script http://pastebin.com/tjV2RZ23 and it matches.

Re: What can someone do after discovering an "exploit"?

Originally Posted by Snayler

No! I'm not that smart. Back in April 2008, Kevin Devine discovered that flaw (calculating the default password from the serial number) and created a PoC where you can calculate all possible default passwords based on the last 6 chars of the default SSID. Around 2009/2010, Thomson (I guess) fixed this issue by changing the last chars of the SSID to the last 6 chars of the AP's MAC address. This fixed the vulnerability found by Kevin, but I discovered that the router freely announces its serial number through WPS. So I just had to check Kevin's discovery on how to calculate the default password from the serial number and ta-da! Vulnerability found. If you want, you can read more about Kevin's findings in the link posted by hannah. If you want a more hardcore explanation, you can read it here:

Code:

http://www.hakim.ws/st585/KevinDevine/

Cheers!

Thanks for the info! It's amazing he was able to reverse-engineer the setup installer to arrive at the conclusion.

I'm pretty sure the default WPA PSK is derived from the BSSID somehow, because the serial number is just the decimal form of the BSSID. Using some kind of hashing function makes sense, because it's easy to ensure uniform output. I don't think there is any setup executable available for these routers, but I'm excited to try some different hashing methods to see what I get.
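Snayler's point above is that the router itself volunteers the serial number in its WPS element, so the only thing an owner can check without any vendor algorithm is whether their own AP is doing that. Below is an added example (not from this thread, nor from Kevin Devine's or the pastebin code) that parses the tagged parameters of a beacon and reports whether a WPS element is present, whether WPS is in the configured state, and whether a serial-number attribute is advertised; the beacon bodies, SSID and serial value are constructed for the test, and the WSC attribute IDs are assumed from the Wi-Fi Simple Configuration spec.

```python
import struct

# WSC attribute IDs as assumed from the Wi-Fi Simple Configuration spec
ATTR_WPS_STATE = 0x1044   # value 0x01 = not configured, 0x02 = configured
ATTR_SERIAL    = 0x1042   # serial number, ASCII
WSC_OUI_TYPE   = bytes.fromhex("0050f204")   # OUI 00:50:F2, type 4 = WSC

def parse_tlvs(buf, hdr):
    """Generic TLV walk; hdr is the struct format of the (id, length) header."""
    size, pos, out = struct.calcsize(hdr), 0, []
    while pos + size <= len(buf):
        tid, tlen = struct.unpack(hdr, buf[pos:pos + size])
        val = buf[pos + size:pos + size + tlen]
        if len(val) != tlen:   # truncated frame: stop instead of misparsing
            break
        out.append((tid, val))
        pos += size + tlen
    return out

def audit_beacon(body):
    """Return what the beacon's WPS element reveals: WPS state and serial number."""
    report = {"wps": False, "configured": None, "serial": None}
    for eid, val in parse_tlvs(body, "BB"):          # 802.11 IEs: 1-byte id, 1-byte len
        if eid != 221 or not val.startswith(WSC_OUI_TYPE):
            continue                                  # only the vendor-specific WSC IE
        report["wps"] = True
        for aid, aval in parse_tlvs(val[4:], ">HH"):  # WSC attrs: 2-byte id, 2-byte len
            if aid == ATTR_WPS_STATE and aval:
                report["configured"] = aval[0] == 2
            elif aid == ATTR_SERIAL:
                report["serial"] = aval.decode("ascii", "replace")
    return report

def build_beacon(ssid, serial=None, configured=True):
    """Constructed beacon body (IEs only) for testing; serial=None omits the attribute."""
    attrs = struct.pack(">HHB", ATTR_WPS_STATE, 1, 2 if configured else 1)
    if serial is not None:
        attrs += struct.pack(">HH", ATTR_SERIAL, len(serial)) + serial.encode()
    wsc = WSC_OUI_TYPE + attrs
    return bytes([0, len(ssid)]) + ssid.encode() + bytes([221, len(wsc)]) + wsc

# Constructed samples: the same AP with and without the serial-number attribute
LEAKY = build_beacon("Thomson1A2B3C", serial="CP0123ABCD")
SAFE  = build_beacon("Thomson1A2B3C")
```

If `serial` comes back non-empty for your own AP, the mitigation is the one implied by the thread: replace the factory PSK and disable WPS, since the leak is in the beacon, not in anything a client does.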

So the question is: what is the new algorithm, and is there something I am doing wrong here?

Regards

No, you're doing it right. That router has the new algorithm; you can check by looking at the serial number: if it starts with 10 (meaning it was made in 2010), it will probably not be vulnerable (early 2010 routers are still exploitable). They started using the new algorithm on new routers, and as far as I know, this new algorithm is not known.

Originally Posted by ternarybit

Thanks for the info! It's amazing he was able to reverse-engineer the setup installer to arrive at the conclusion.

I'm pretty sure the default WPA PSK is derived from the BSSID somehow, because the serial number is just the decimal form of the BSSID. Using some kind of hashing function makes sense, because it's easy to ensure uniform output. I don't think there is any setup executable available for these routers, but I'm excited to try some different hashing methods to see what I get.

We currently have a case in my country where someone was able to dump the algorithm from a router distributed by a major ISP. The instructions are in ARM assembly and there is a community trying to reverse-engineer them. So far it is known that the code is calculating the WPA key based on the router's MAC address. I believe Thomson is using a similar technique in their new algorithm.